The new TrickBot Banking Trojan seems to have been developed by Dyre authors

Researchers at Fidelis Cybersecurity believe that someone behind the development of the Dyre banking Trojan is now behind the new Trickbot malware.

This morning I published a post on the data provided by Group-IB on crime trends, the report published by the security firm reveals a continuous evolution of cybercriminal ecosystem. The story that I’m going to tell you confirms this rapid evolution, at least one of the author behind the infamous Dyre banking Trojan (aka Dyreza) is apparently working on a new banking Trojan dubbed ‘TrickBot.’

The Dyreza botnet infected hundreds of thousands of machines worldwide, according to the Heimdal Security, in November 2015 more than 80.000 machines were already infected with Dyre Trojan across the world. Security experts estimated that users of more than 1000 financial institutions have fallen victim of the threat.

In November 2015, Dyre activity ceased, the Reuters agency also reported authorities raided offices of a Russian film distribution and production company as part of an operation against the Dyre gang.

The operation of the Russian police successfully beheaded the organization behind the Dyre Trojan,

“We have seen a disruption over the last few months that is definitely consistent with successful law enforcement action,” explained security expert John Miller from iSight Partners.

Now security experts at Fidelis Cybersecurity believe that someone behind the development of the Dyre banking Trojan has escaped the arrest and he is now participating in a new project.

Researchers at Fidelis Cybersecurity that are monitoring the evolution of the TrickBot malware speculate it has a strong connection to Dyre banking trojan.

The security firm first spotted the TrickBot malware in September while it was used by crooks to target the customers of Australian banks (ANZ, Westpac, St. George and NAB).

The first TrickBot samples analyzed by the experts were implementing a single data stealer module, but a few weeks later, the researchers discovered a new sample including webinjects that appear to be in the testing phase.

“In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has a strong connection to the Dyre banking trojan. From first glance at the loader, called TrickLoader, there are some striking similarities between it and the loader that Dyre commonly used. It isn’t until you decode out the bot, however, that the similarities become staggering.” reads the analysis published by Fidelis Cybersecurity.

“This would suggest, but is far from conclusive, that some individuals related to the development of Dyre have found their way into resuming criminal operations.”

TrickBot and Dyre have many similarities, the code of the new banking trojan seems to have been rewritten with a different coding style, but maintaining many functionalities.

TrickBot includes more C++ code, compared to Dyre, which is mostly written using the programming language C. Another difference is that the new trojan leverages on the Microsoft CryptoAPI instead of built-in functions for AES and SHA-256 hashing.

Below the main differences highlighted in the analysis:

Instead of running commands directly the bot interfaces with TaskScheduler through COM for persistence

There is considerably more code in the C++ programming language versus the original Dyre that used C for the most part.

“Based on these observations, it is our assessment with strong confidence that there is a clear link between Dyre and TrickBot but that there is considerable new development that has been invested into TrickBot. With moderate confidence, we assess that one of more of the original developers of Dyre is involved with TrickBot.” states the post.

The analysis of the custom crypter revealed that the malware loader (TrickLoader) is the same used by other malware such as Vawtrak, Pushdo and Cutwail malware. This last malware is associated with the spambot used by threat actor behind the Dyre threat, this element suggests that cybercriminals are trying to rebuild the Cutwail botnet.

For further information give a look at the post that includes a full list of IOCs and hashes.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here.

If you continue to browse this site without changing your cookie settings, you agree to this use.AcceptRead More

Privacy and Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.